From 3a9e79e6d56740652a26fa87e29bafe676aa84ac Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 16:17:17 -0700
Subject: [PATCH 01/13] Filter only newt sites on private resources

---
 src/components/InternalResourceForm.tsx |  1 +
 src/components/site-selector.tsx        | 10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 50847a489..a4a793753 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -614,6 +614,7 @@ export function InternalResourceForm({
                                         <SitesSelector
                                             orgId={orgId}
                                             selectedSite={selectedSite}
+                                            filterTypes={["newt"]}
                                             onSelectSite={(site) => {
                                                 setSelectedSite(site);
                                                 field.onChange(site.siteId);
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
index 4c3c97651..db23362dc 100644
--- a/src/components/site-selector.tsx
+++ b/src/components/site-selector.tsx
@@ -24,12 +24,14 @@ export type SitesSelectorProps = {
     orgId: string;
     selectedSite?: Selectedsite | null;
     onSelectSite: (selected: Selectedsite) => void;
+    filterTypes?: string[];
 };
 
 export function SitesSelector({
     orgId,
     selectedSite,
-    onSelectSite
+    onSelectSite,
+    filterTypes
 }: SitesSelectorProps) {
     const t = useTranslations();
     const [siteSearchQuery, setSiteSearchQuery] = useState("");
@@ -45,7 +47,9 @@ export function SitesSelector({
 
     // always include the selected site in the list of sites shown
     const sitesShown = useMemo(() => {
-        const allSites: Array<Selectedsite> = [...sites];
+        const allSites: Array<Selectedsite> = filterTypes
+            ? sites.filter((s) => filterTypes.includes(s.type))
+            : [...sites];
         if (
             debouncedQuery.trim().length === 0 &&
             selectedSite &&
@@ -54,7 +58,7 @@ export function SitesSelector({
             allSites.unshift(selectedSite);
         }
         return allSites;
-    }, [debouncedQuery, sites, selectedSite]);
+    }, [debouncedQuery, sites, selectedSite, filterTypes]);
 
     return (
         <Command shouldFilter={false}>

From 547865e0dab4a97c128b9d86f20462ba255c5e27 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 16:24:53 -0700
Subject: [PATCH 02/13] Mark targets unhealthy when site is down

Fix #2675
Fix #2700
Fix #1742
---
 server/routers/newt/handleNewtPingMessage.ts | 31 ++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/server/routers/newt/handleNewtPingMessage.ts b/server/routers/newt/handleNewtPingMessage.ts
index c2c4e7762..32f665758 100644
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -1,4 +1,4 @@
-import { db, newts, sites } from "@server/db";
+import { db, newts, sites, targetHealthCheck, targets } from "@server/db";
 import {
     hasActiveConnections,
     getClientConfigVersion
@@ -78,6 +78,32 @@ export const startNewtOfflineChecker = (): void => {
                     .update(sites)
                     .set({ online: false })
                     .where(eq(sites.siteId, staleSite.siteId));
+
+                const healthChecksOnSite = await db
+                    .select()
+                    .from(targetHealthCheck)
+                    .innerJoin(
+                        targets,
+                        eq(targets.targetId, targetHealthCheck.targetId)
+                    )
+                    .innerJoin(sites, eq(sites.siteId, targets.siteId))
+                    .where(eq(sites.siteId, staleSite.siteId));
+
+                for (const healthCheck of healthChecksOnSite) {
+                    logger.info(
+                        `Marking health check ${healthCheck.targetHealthCheck.targetHealthCheckId} offline due to site ${staleSite.siteId} being marked offline`
+                    );
+                    await db
+                        .update(targetHealthCheck)
+                        .set({ hcHealth: "unknown" })
+                        .where(
+                            eq(
+                                targetHealthCheck.targetHealthCheckId,
+                                healthCheck.targetHealthCheck
+                                    .targetHealthCheckId
+                            )
+                        );
+                }
             }
 
             // this part only effects self hosted. Its not efficient but we dont expect people to have very many wireguard sites
@@ -102,7 +128,8 @@ export const startNewtOfflineChecker = (): void => {
 
             // loop over each one. If its offline and there is a new update then mark it online. If its online and there is no update then mark it offline
             for (const site of allWireguardSites) {
-                const lastBandwidthUpdate = new Date(site.lastBandwidthUpdate!).getTime() / 1000;
+                const lastBandwidthUpdate =
+                    new Date(site.lastBandwidthUpdate!).getTime() / 1000;
                 if (
                     lastBandwidthUpdate < wireguardOfflineThreshold &&
                     site.online

From 69aa6e2d1dc837d67499c02230dc2b4d2b0f369c Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 17:00:06 -0700
Subject: [PATCH 03/13] Prevent increase in writes on reconnect

---
 .../routers/target/handleHealthcheckStatusMessage.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/server/routers/target/handleHealthcheckStatusMessage.ts b/server/routers/target/handleHealthcheckStatusMessage.ts
index 01cbdea81..7ea1730ce 100644
--- a/server/routers/target/handleHealthcheckStatusMessage.ts
+++ b/server/routers/target/handleHealthcheckStatusMessage.ts
@@ -77,7 +77,8 @@ export const handleHealthcheckStatusMessage: MessageHandler = async (
             const [targetCheck] = await db
                 .select({
                     targetId: targets.targetId,
-                    siteId: targets.siteId
+                    siteId: targets.siteId,
+                    hcStatus: targetHealthCheck.hcHealth
                 })
                 .from(targets)
                 .innerJoin(
@@ -85,6 +86,7 @@ export const handleHealthcheckStatusMessage: MessageHandler = async (
                     eq(targets.resourceId, resources.resourceId)
                 )
                 .innerJoin(sites, eq(targets.siteId, sites.siteId))
+                .innerJoin(targetHealthCheck, eq(targets.targetId, targetHealthCheck.targetId))
                 .where(
                     and(
                         eq(targets.targetId, targetIdNum),
@@ -101,6 +103,14 @@ export const handleHealthcheckStatusMessage: MessageHandler = async (
                 continue;
             }
 
+            // check if the status has changed
+            if (targetCheck.hcStatus === healthStatus.status) {
+                logger.debug(
+                    `Health status for target ${targetId} is already ${healthStatus.status}, skipping update`
+                );
+                continue;
+            }
+
             // Update the target's health status in the database
             await db
                 .update(targetHealthCheck)

From 08e4afaef01f33f390e69180c4e642720f7ec19b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 17:06:56 -0700
Subject: [PATCH 04/13] Update hp log message

---
 server/routers/newt/handleGetConfigMessage.ts  | 3 ++-
 server/routers/olm/handleOlmRegisterMessage.ts | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index fced51818..9c67f53ee 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -8,6 +8,7 @@ import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
 import { convertTargetsIfNessicary } from "../client/targets";
 import { canCompress } from "@server/lib/clientVersionChecks";
+import config from "@server/lib/config";
 
 export const handleGetConfigMessage: MessageHandler = async (context) => {
     const { message, client, sendToClient } = context;
@@ -55,7 +56,7 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
 
     if (existingSite.lastHolePunch && now - existingSite.lastHolePunch > 5) {
         logger.warn(
-            `handleGetConfigMessage: Site ${existingSite.siteId} last hole punch is too old, skipping`
+            `Site last hole punch is too old; skipping this register. The site is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`
         );
         return;
     }
diff --git a/server/routers/olm/handleOlmRegisterMessage.ts b/server/routers/olm/handleOlmRegisterMessage.ts
index 26dbff1bd..01495de3b 100644
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -20,6 +20,7 @@ import { handleFingerprintInsertion } from "./fingerprintingUtils";
 import { Alias } from "@server/lib/ip";
 import { build } from "@server/build";
 import { canCompress } from "@server/lib/clientVersionChecks";
+import config from "@server/lib/config";
 
 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     logger.info("Handling register olm message!");
@@ -274,7 +275,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     // TODO: I still think there is a better way to do this rather than locking it out here but ???
     if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) {
         logger.warn(
-            "Client last hole punch is too old and we have sites to send; skipping this register"
+            `Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`
         );
         return;
     }

From 363c13c3878b60349caab73f19e5630032cbfb21 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 1 Apr 2026 09:53:49 -0700
Subject: [PATCH 05/13] Impvove communication

---
 README.md                                              | 2 +-
 messages/en-US.json                                    | 6 +++---
 src/app/[orgId]/settings/provisioning/pending/page.tsx | 6 ++++++
 src/components/PendingSitesTable.tsx                   | 7 +++++++
 src/components/SiteProvisioningKeysTable.tsx           | 1 +
 src/components/ui/controlled-data-table.tsx            | 4 +++-
 src/components/ui/data-table.tsx                       | 4 +++-
 7 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index bac7b7e56..28fc991c8 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ Pangolin is an open-source, identity-based remote access platform built on WireG
 
 | <img width=500 /> | Description |
 |-----------------|--------------|
-| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
+| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing - no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
 | **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
 | **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
 
diff --git a/messages/en-US.json b/messages/en-US.json
index 412d50179..51bb996af 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -371,10 +371,10 @@
     "provisioningKeysUpdated": "Provisioning key updated",
     "provisioningKeysUpdatedDescription": "Your changes have been saved.",
     "provisioningKeysBannerTitle": "Site Provisioning Keys",
-    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup — no need to set up separate credentials for each site.",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
     "provisioningKeysBannerButtonText": "Learn More",
     "pendingSitesBannerTitle": "Pending Sites",
-    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review. Approve each site before it becomes active and gains access to your resources.",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
     "pendingSitesBannerButtonText": "Learn More",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
@@ -2346,7 +2346,7 @@
                 "description": "Enterprise features, 50 users, 50 sites, and priority support."
             }
         },
-        "personalUseOnly": "Personal use only (free license — no checkout)",
+        "personalUseOnly": "Personal use only (free license - no checkout)",
         "buttons": {
             "continueToCheckout": "Continue to Checkout"
         },
diff --git a/src/app/[orgId]/settings/provisioning/pending/page.tsx b/src/app/[orgId]/settings/provisioning/pending/page.tsx
index 637f828b8..4669f9160 100644
--- a/src/app/[orgId]/settings/provisioning/pending/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/pending/page.tsx
@@ -9,6 +9,8 @@ import DismissableBanner from "@app/components/DismissableBanner";
 import Link from "next/link";
 import { Button } from "@app/components/ui/button";
 import { ArrowRight, Plug } from "lucide-react";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 
 type PendingSitesPageProps = {
     params: Promise<{ orgId: string }>;
@@ -96,6 +98,10 @@ export default async function PendingSitesPage(props: PendingSitesPageProps) {
                     </Button>
                 </Link>
             </DismissableBanner>
+            <PaidFeaturesAlert
+                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
+            />
+
             <PendingSitesTable
                 sites={siteRows}
                 orgId={params.orgId}
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index 64417da7b..12abcf7c4 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -15,6 +15,8 @@ import { getNextSortOrder, getSortDirection } from "@app/lib/sortColumn";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { build } from "@server/build";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { type PaginationState } from "@tanstack/react-table";
 import {
     ArrowDown01Icon,
@@ -63,6 +65,10 @@ export default function PendingSitesTable({
 
     const api = createApiClient(useEnvContext());
     const t = useTranslations();
+    const { isPaidUser } = usePaidStatus();
+    const canUseSiteProvisioning =
+        isPaidUser(tierMatrix[TierFeature.SiteProvisioningKeys]) &&
+        build !== "oss";
 
     const booleanSearchFilterSchema = z
         .enum(["true", "false"])
@@ -450,6 +456,7 @@ export default function PendingSitesTable({
             onSearch={handleSearchChange}
             onRefresh={refreshData}
             isRefreshing={isRefreshing || isFiltering}
+            refreshButtonDisabled={!canUseSiteProvisioning}
             rowCount={rowCount}
             columnVisibility={{
                 niceId: false,
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
index fafbe725e..97c2bc215 100644
--- a/src/components/SiteProvisioningKeysTable.tsx
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -311,6 +311,7 @@ export default function SiteProvisioningKeysTable({
                 addButtonDisabled={!canUseSiteProvisioning}
                 onRefresh={refreshData}
                 isRefreshing={isRefreshing}
+                refreshButtonDisabled={!canUseSiteProvisioning}
                 addButtonText={t("provisioningKeysAdd")}
                 enableColumnVisibility={true}
                 stickyLeftColumn="name"
diff --git a/src/components/ui/controlled-data-table.tsx b/src/components/ui/controlled-data-table.tsx
index a0231bb8c..34a35455c 100644
--- a/src/components/ui/controlled-data-table.tsx
+++ b/src/components/ui/controlled-data-table.tsx
@@ -69,6 +69,7 @@ type ControlledDataTableProps<TData, TValue> = {
     onAdd?: () => void;
     onRefresh?: () => void;
     isRefreshing?: boolean;
+    refreshButtonDisabled?: boolean;
     isNavigatingToAddPage?: boolean;
     searchPlaceholder?: string;
     filters?: DataTableFilter[];
@@ -91,6 +92,7 @@ export function ControlledDataTable<TData, TValue>({
     onAdd,
     onRefresh,
     isRefreshing,
+    refreshButtonDisabled = false,
     searchPlaceholder = "Search...",
     filters,
     filterDisplayMode = "label",
@@ -335,7 +337,7 @@ export function ControlledDataTable<TData, TValue>({
                                 <Button
                                     variant="outline"
                                     onClick={onRefresh}
-                                    disabled={isRefreshing}
+                                    disabled={isRefreshing || refreshButtonDisabled}
                                 >
                                     <RefreshCw
                                         className={`mr-0 sm:mr-2 h-4 w-4 ${isRefreshing ? "animate-spin" : ""}`}
diff --git a/src/components/ui/data-table.tsx b/src/components/ui/data-table.tsx
index a0c11ffdf..c62afd329 100644
--- a/src/components/ui/data-table.tsx
+++ b/src/components/ui/data-table.tsx
@@ -174,6 +174,7 @@ type DataTableProps<TData, TValue> = {
     addButtonDisabled?: boolean;
     onRefresh?: () => void;
     isRefreshing?: boolean;
+    refreshButtonDisabled?: boolean;
     searchPlaceholder?: string;
     searchColumn?: string;
     defaultSort?: {
@@ -207,6 +208,7 @@ export function DataTable<TData, TValue>({
     addButtonDisabled = false,
     onRefresh,
     isRefreshing,
+    refreshButtonDisabled = false,
     searchPlaceholder = "Search...",
     searchColumn = "name",
     defaultSort,
@@ -624,7 +626,7 @@ export function DataTable<TData, TValue>({
                                 <Button
                                     variant="outline"
                                     onClick={onRefresh}
-                                    disabled={isRefreshing}
+                                    disabled={isRefreshing || refreshButtonDisabled}
                                 >
                                     <RefreshCw
                                         className={`mr-0 sm:mr-2 h-4 w-4 ${isRefreshing ? "animate-spin" : ""}`}

From 1bb89fce26d6ba022bbbd7d261c09ac2ac0c56fc Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Thu, 2 Apr 2026 12:21:53 +0100
Subject: [PATCH 06/13] enhance: Systemd newt unit

Add a systemd unit option directly from dashboard to prevent copy and paste mistakes
---
 messages/en-US.json                      |  3 ++
 src/components/newt-install-commands.tsx | 52 +++++++++++++++++++++++-
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 51bb996af..e4a225f70 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Machine Clients",
     "install": "Install",
     "run": "Run",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "The display name of the client that can be changed later.",
     "clientAddress": "Client Address (Advanced)",
     "setupFailedToFetchSubnet": "Failed to fetch default subnet",
diff --git a/src/components/newt-install-commands.tsx b/src/components/newt-install-commands.tsx
index ba0363e3b..d7ff57c04 100644
--- a/src/components/newt-install-commands.tsx
+++ b/src/components/newt-install-commands.tsx
@@ -55,7 +55,7 @@ export function NewtSiteInstallCommands({
 
     const commandList: Record<Platform, Record<string, CommandItem[]>> = {
         unix: {
-            All: [
+            Direct: [
                 {
                     title: t("install"),
                     command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
@@ -64,6 +64,54 @@ export function NewtSiteInstallCommands({
                     title: t("run"),
                     command: `newt --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
                 }
+            ],
+            "Systemd Service": [
+                {
+                    title: t("install"),
+                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
+                },
+                {
+                    title: t("envFile"),
+                    command: `# Create the directory and environment file
+sudo install -d -m 0755 /etc/newt
+sudo tee /etc/newt/newt.env > /dev/null << 'EOF'
+NEWT_ID=${id}
+NEWT_SECRET=${secret}
+PANGOLIN_ENDPOINT=${endpoint}${!acceptClients ? `
+DISABLE_CLIENTS=true` : ""}
+EOF
+sudo chmod 600 /etc/newt/newt.env`
+                },
+                {
+                    title: t("serviceFile"),
+                    command: `sudo tee /etc/systemd/system/newt.service > /dev/null << 'EOF'
+[Unit]
+Description=Newt
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+EnvironmentFile=/etc/newt/newt.env
+ExecStart=/usr/local/bin/newt
+Restart=always
+RestartSec=2
+UMask=0077
+
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+EOF`
+                },
+                {
+                    title: t("enableAndStart"),
+                    command: `sudo systemctl daemon-reload
+sudo systemctl enable --now newt`
+                }
             ]
         },
         windows: {
@@ -298,7 +346,7 @@ function getPlatformName(platformName: Platform) {
 function getArchitectures(platform: Platform) {
     switch (platform) {
         case "unix":
-            return ["All"];
+            return ["Direct", "Systemd Service"];
         case "windows":
             return ["x64"];
         case "docker":

From a55dd769cfdc5f2fd50efa00b076e4c20dd243d4 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Thu, 2 Apr 2026 11:43:01 -0400
Subject: [PATCH 07/13] Revert "enhance: Systemd newt unit instructions"

---
 messages/en-US.json                      |  3 --
 src/components/newt-install-commands.tsx | 52 +-----------------------
 2 files changed, 2 insertions(+), 53 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index e4a225f70..51bb996af 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2607,9 +2607,6 @@
     "machineClients": "Machine Clients",
     "install": "Install",
     "run": "Run",
-    "envFile": "Environment File",
-    "serviceFile": "Service File",
-    "enableAndStart": "Enable and Start",
     "clientNameDescription": "The display name of the client that can be changed later.",
     "clientAddress": "Client Address (Advanced)",
     "setupFailedToFetchSubnet": "Failed to fetch default subnet",
diff --git a/src/components/newt-install-commands.tsx b/src/components/newt-install-commands.tsx
index d7ff57c04..ba0363e3b 100644
--- a/src/components/newt-install-commands.tsx
+++ b/src/components/newt-install-commands.tsx
@@ -55,7 +55,7 @@ export function NewtSiteInstallCommands({
 
     const commandList: Record<Platform, Record<string, CommandItem[]>> = {
         unix: {
-            Direct: [
+            All: [
                 {
                     title: t("install"),
                     command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
@@ -64,54 +64,6 @@ export function NewtSiteInstallCommands({
                     title: t("run"),
                     command: `newt --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
                 }
-            ],
-            "Systemd Service": [
-                {
-                    title: t("install"),
-                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
-                },
-                {
-                    title: t("envFile"),
-                    command: `# Create the directory and environment file
-sudo install -d -m 0755 /etc/newt
-sudo tee /etc/newt/newt.env > /dev/null << 'EOF'
-NEWT_ID=${id}
-NEWT_SECRET=${secret}
-PANGOLIN_ENDPOINT=${endpoint}${!acceptClients ? `
-DISABLE_CLIENTS=true` : ""}
-EOF
-sudo chmod 600 /etc/newt/newt.env`
-                },
-                {
-                    title: t("serviceFile"),
-                    command: `sudo tee /etc/systemd/system/newt.service > /dev/null << 'EOF'
-[Unit]
-Description=Newt
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-Type=simple
-User=root
-Group=root
-EnvironmentFile=/etc/newt/newt.env
-ExecStart=/usr/local/bin/newt
-Restart=always
-RestartSec=2
-UMask=0077
-
-NoNewPrivileges=true
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target
-EOF`
-                },
-                {
-                    title: t("enableAndStart"),
-                    command: `sudo systemctl daemon-reload
-sudo systemctl enable --now newt`
-                }
             ]
         },
         windows: {
@@ -346,7 +298,7 @@ function getPlatformName(platformName: Platform) {
 function getArchitectures(platform: Platform) {
     switch (platform) {
         case "unix":
-            return ["Direct", "Systemd Service"];
+            return ["All"];
         case "windows":
             return ["x64"];
         case "docker":

From 122079ddb294c2a0fedbaa79e4542539afd9816a Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Thu, 2 Apr 2026 17:01:52 +0100
Subject: [PATCH 08/13] split unix to linux and macos, show method everything
 other than windows, change nixos all to flake so makes sense under method

---
 messages/en-US.json                      |   3 +
 src/components/newt-install-commands.tsx | 106 ++++++++++++++++++-----
 2 files changed, 89 insertions(+), 20 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 51bb996af..e4a225f70 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2607,6 +2607,9 @@
     "machineClients": "Machine Clients",
     "install": "Install",
     "run": "Run",
+    "envFile": "Environment File",
+    "serviceFile": "Service File",
+    "enableAndStart": "Enable and Start",
     "clientNameDescription": "The display name of the client that can be changed later.",
     "clientAddress": "Client Address (Advanced)",
     "setupFailedToFetchSubnet": "Failed to fetch default subnet",
diff --git a/src/components/newt-install-commands.tsx b/src/components/newt-install-commands.tsx
index ba0363e3b..28581794c 100644
--- a/src/components/newt-install-commands.tsx
+++ b/src/components/newt-install-commands.tsx
@@ -10,14 +10,14 @@ import {
 import { CheckboxWithLabel } from "./ui/checkbox";
 import { OptionSelect, type OptionSelectOption } from "./OptionSelect";
 import { useState } from "react";
-import { FaCubes, FaDocker, FaWindows } from "react-icons/fa";
-import { Terminal } from "lucide-react";
+import { FaApple, FaCubes, FaDocker, FaLinux, FaWindows } from "react-icons/fa";
 import { SiKubernetes, SiNixos } from "react-icons/si";
 
 export type CommandItem = string | { title: string; command: string };
 
 const PLATFORMS = [
-    "unix",
+    "linux",
+    "macos",
     "docker",
     "kubernetes",
     "podman",
@@ -43,7 +43,7 @@ export function NewtSiteInstallCommands({
     const t = useTranslations();
 
     const [acceptClients, setAcceptClients] = useState(true);
-    const [platform, setPlatform] = useState<Platform>("unix");
+    const [platform, setPlatform] = useState<Platform>("linux");
     const [architecture, setArchitecture] = useState(
         () => getArchitectures(platform)[0]
     );
@@ -54,8 +54,68 @@ export function NewtSiteInstallCommands({
         : "";
 
     const commandList: Record<Platform, Record<string, CommandItem[]>> = {
-        unix: {
-            All: [
+        linux: {
+            Run: [
+                {
+                    title: t("install"),
+                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
+                },
+                {
+                    title: t("run"),
+                    command: `newt --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
+                }
+            ],
+            "Systemd Service": [
+                {
+                    title: t("install"),
+                    command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
+                },
+                {
+                    title: t("envFile"),
+                    command: `# Create the directory and environment file
+sudo install -d -m 0755 /etc/newt
+sudo tee /etc/newt/newt.env > /dev/null << 'EOF'
+NEWT_ID=${id}
+NEWT_SECRET=${secret}
+PANGOLIN_ENDPOINT=${endpoint}${!acceptClients ? `
+DISABLE_CLIENTS=true` : ""}
+EOF
+sudo chmod 600 /etc/newt/newt.env`
+                },
+                {
+                    title: t("serviceFile"),
+                    command: `sudo tee /etc/systemd/system/newt.service > /dev/null << 'EOF'
+[Unit]
+Description=Newt
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+EnvironmentFile=/etc/newt/newt.env
+ExecStart=/usr/local/bin/newt
+Restart=always
+RestartSec=2
+UMask=0077
+
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
+EOF`
+                },
+                {
+                    title: t("enableAndStart"),
+                    command: `sudo systemctl daemon-reload
+sudo systemctl enable --now newt`
+                }
+            ]
+        },
+        macos: {
+            Run: [
                 {
                     title: t("install"),
                     command: `curl -fsSL https://static.pangolin.net/get-newt.sh | bash`
@@ -131,7 +191,7 @@ WantedBy=default.target`
             ]
         },
         nixos: {
-            All: [
+            Flake: [
                 `nix run 'nixpkgs#fosrl-newt' -- --id ${id} --secret ${secret} --endpoint ${endpoint}${acceptClientsFlag}`
             ]
         }
@@ -172,9 +232,9 @@ WantedBy=default.target`
 
                 <OptionSelect<string>
                     label={
-                        ["docker", "podman"].includes(platform)
-                            ? t("method")
-                            : t("architecture")
+                        platform === "windows"
+                            ? t("architecture")
+                            : t("method")
                     }
                     options={getArchitectures(platform).map((arch) => ({
                         value: arch,
@@ -261,8 +321,10 @@ function getPlatformIcon(platformName: Platform) {
     switch (platformName) {
         case "windows":
             return <FaWindows className="h-4 w-4 mr-2" />;
-        case "unix":
-            return <Terminal className="h-4 w-4 mr-2" />;
+        case "linux":
+            return <FaLinux className="h-4 w-4 mr-2" />;
+        case "macos":
+            return <FaApple className="h-4 w-4 mr-2" />;
         case "docker":
             return <FaDocker className="h-4 w-4 mr-2" />;
         case "kubernetes":
@@ -272,7 +334,7 @@ function getPlatformIcon(platformName: Platform) {
         case "nixos":
             return <SiNixos className="h-4 w-4 mr-2" />;
         default:
-            return <Terminal className="h-4 w-4 mr-2" />;
+            return <FaLinux className="h-4 w-4 mr-2" />;
     }
 }
 
@@ -280,8 +342,10 @@ function getPlatformName(platformName: Platform) {
     switch (platformName) {
         case "windows":
             return "Windows";
-        case "unix":
-            return "Unix & macOS";
+        case "linux":
+            return "Linux";
+        case "macos":
+            return "macOS";
         case "docker":
             return "Docker";
         case "kubernetes":
@@ -291,14 +355,16 @@ function getPlatformName(platformName: Platform) {
         case "nixos":
             return "NixOS";
         default:
-            return "Unix / macOS";
+            return "Linux";
     }
 }
 
 function getArchitectures(platform: Platform) {
     switch (platform) {
-        case "unix":
-            return ["All"];
+        case "linux":
+            return ["Run", "Systemd Service"];
+        case "macos":
+            return ["Run"];
         case "windows":
             return ["x64"];
         case "docker":
@@ -308,8 +374,8 @@ function getArchitectures(platform: Platform) {
         case "podman":
             return ["Podman Quadlet", "Podman Run"];
         case "nixos":
-            return ["All"];
+            return ["Flake"];
         default:
-            return ["x64"];
+            return ["Run"];
     }
 }

From d5837ab718729b7ff0bfc062882a12c491a7f7a6 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 2 Apr 2026 21:57:59 -0400
Subject: [PATCH 09/13] Fix to use the stored data

---
 src/services/locale.ts | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/services/locale.ts b/src/services/locale.ts
index 3bdf688bf..81be42bc1 100644
--- a/src/services/locale.ts
+++ b/src/services/locale.ts
@@ -22,12 +22,21 @@ export async function getUserLocale(): Promise<Locale> {
         const res = await internal.get("/user", await authCookieHeader());
         const userLocale = res.data?.data?.locale;
         if (userLocale && locales.includes(userLocale as Locale)) {
-            // Set the cookie so subsequent requests don't need the API call
-            (await cookies()).set(COOKIE_NAME, userLocale, {
-                maxAge: COOKIE_MAX_AGE,
-                path: "/",
-                sameSite: "lax"
-            });
+            // Try to cache in a cookie so subsequent requests skip the API
+            // call. cookies().set() is only permitted in Server Actions and
+            // Route Handlers — not during rendering — so we isolate it so
+            // that a write failure doesn't prevent the locale from being
+            // returned for the current request.
+            try {
+                (await cookies()).set(COOKIE_NAME, userLocale, {
+                    maxAge: COOKIE_MAX_AGE,
+                    path: "/",
+                    sameSite: "lax"
+                });
+            } catch {
+                // Cannot set cookies in this context (e.g. during rendering);
+                // the correct locale is still returned below.
+            }
             return userLocale as Locale;
         }
     } catch {

From d83fa63af587013cba18496938c97fd5db7defe3 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 2 Apr 2026 21:58:14 -0400
Subject: [PATCH 10/13] Fix to null out the rewrite on the frontend too

---
 .../settings/resources/proxy/[niceId]/proxy/page.tsx | 12 ++++++++++--
 .../[orgId]/settings/resources/proxy/create/page.tsx | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
index 3001491f1..3d6e6186b 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -400,7 +400,11 @@ function ProxyResourceTargetsForm({
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button
@@ -424,7 +428,11 @@ function ProxyResourceTargetsForm({
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button
diff --git a/src/app/[orgId]/settings/resources/proxy/create/page.tsx b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
index b651a06bb..f057c07c4 100644
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -776,7 +776,11 @@ export default function Page() {
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button
@@ -800,7 +804,11 @@ export default function Page() {
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId, config)
+                                    updateTarget(row.original.targetId,
+                                        config.path === null && config.pathMatchType === null
+                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                            : config
+                                    )
                                 }
                                 trigger={
                                     <Button

From dab38ff82cfae28fb6783ba7e605fec52e6473ad Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 3 Apr 2026 11:16:56 -0400
Subject: [PATCH 11/13] use debug log on log stream start

---
 server/private/lib/logStreaming/LogStreamingManager.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
index 04e35ad00..0067c0690 100644
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -127,7 +127,7 @@ export class LogStreamingManager {
     start(): void {
         if (this.isRunning) return;
         this.isRunning = true;
-        logger.info("LogStreamingManager: started");
+        logger.debug("LogStreamingManager: started");
         this.schedulePoll(POLL_INTERVAL_MS);
     }
 
@@ -770,4 +770,4 @@ export class LogStreamingManager {
 
 function sleep(ms: number): Promise<void> {
     return new Promise((resolve) => setTimeout(resolve, ms));
-}
\ No newline at end of file
+}

From 5056cba85d9be418c815b2f02a74357442851680 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 11:25:12 -0400
Subject: [PATCH 12/13] Add siem to migration

---
 server/setup/scriptsPg/1.17.0.ts | 44 ++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index ea66948ab..21dd3a224 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -104,6 +104,42 @@ export default async function migration() {
                	CONSTRAINT "userOrgRoles_userId_orgId_roleId_unique" UNIQUE("userId","orgId","roleId")
             );
         `);
+
+        await db.execute(sql`
+            CREATE TABLE "eventStreamingCursors" (
+               	"cursorId" serial PRIMARY KEY NOT NULL,
+               	"destinationId" integer NOT NULL,
+               	"logType" varchar(50) NOT NULL,
+               	"lastSentId" bigint DEFAULT 0 NOT NULL,
+               	"lastSentAt" bigint
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "eventStreamingDestinations" (
+               	"destinationId" serial PRIMARY KEY NOT NULL,
+               	"orgId" varchar(255) NOT NULL,
+               	"sendConnectionLogs" boolean DEFAULT false NOT NULL,
+               	"sendRequestLogs" boolean DEFAULT false NOT NULL,
+               	"sendActionLogs" boolean DEFAULT false NOT NULL,
+               	"sendAccessLogs" boolean DEFAULT false NOT NULL,
+               	"type" varchar(50) NOT NULL,
+               	"config" text NOT NULL,
+               	"enabled" boolean DEFAULT true NOT NULL,
+               	"createdAt" bigint NOT NULL,
+               	"updatedAt" bigint NOT NULL
+            );
+        `);
+
+        await db.execute(
+            sql`ALTER TABLE "eventStreamingCursors" ADD CONSTRAINT "eventStreamingCursors_destinationId_eventStreamingDestinations_destinationId_fk" FOREIGN KEY ("destinationId") REFERENCES "public"."eventStreamingDestinations"("destinationId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "eventStreamingDestinations" ADD CONSTRAINT "eventStreamingDestinations_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`CREATE UNIQUE INDEX "idx_eventStreamingCursors_dest_type" ON "eventStreamingCursors" USING btree ("destinationId","logType");`
+        );
         await db.execute(
             sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`
         );
@@ -177,8 +213,12 @@ export default async function migration() {
             sql`CREATE INDEX "idx_accessAuditLog_siteResourceId" ON "connectionAuditLog" USING btree ("siteResourceId");`
         );
         await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
-        await db.execute(sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`);
-        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar DEFAULT 'approved';`);
+        await db.execute(
+            sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "sites" ADD COLUMN "status" varchar DEFAULT 'approved';`
+        );
 
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");

From fee780cb81a3763ada7a015e34fb01093f313cfe Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 3 Apr 2026 11:29:08 -0400
Subject: [PATCH 13/13] Add siem to migration

---
 server/setup/scriptsSqlite/1.17.0.ts | 56 +++++++++++++++++++++++++---
 1 file changed, 51 insertions(+), 5 deletions(-)

diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 28877f16e..28929fc63 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -76,9 +76,15 @@ export default async function migration() {
             `
             ).run();
 
-            db.prepare(`CREATE INDEX 'idx_accessAuditLog_startedAt' ON 'connectionAuditLog' ('startedAt');`).run();
-            db.prepare(`CREATE INDEX 'idx_accessAuditLog_org_startedAt' ON 'connectionAuditLog' ('orgId','startedAt');`).run();
-            db.prepare(`CREATE INDEX 'idx_accessAuditLog_siteResourceId' ON 'connectionAuditLog' ('siteResourceId');`).run();
+            db.prepare(
+                `CREATE INDEX 'idx_accessAuditLog_startedAt' ON 'connectionAuditLog' ('startedAt');`
+            ).run();
+            db.prepare(
+                `CREATE INDEX 'idx_accessAuditLog_org_startedAt' ON 'connectionAuditLog' ('orgId','startedAt');`
+            ).run();
+            db.prepare(
+                `CREATE INDEX 'idx_accessAuditLog_siteResourceId' ON 'connectionAuditLog' ('siteResourceId');`
+            ).run();
 
             db.prepare(
                 `
@@ -168,6 +174,42 @@ export default async function migration() {
                 );
             `
             ).run();
+
+            db.prepare(
+                `
+                CREATE TABLE 'eventStreamingCursors' (
+                   	'cursorId' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+                   	'destinationId' integer NOT NULL,
+                   	'logType' text NOT NULL,
+                   	'lastSentId' integer DEFAULT 0 NOT NULL,
+                   	'lastSentAt' integer,
+                   	FOREIGN KEY ('destinationId') REFERENCES 'eventStreamingDestinations'('destinationId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE UNIQUE INDEX 'idx_eventStreamingCursors_dest_type' ON 'eventStreamingCursors' ('destinationId','logType');--> statement-breakpoint
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'eventStreamingDestinations' (
+                   	'destinationId' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'sendConnectionLogs' integer DEFAULT false NOT NULL,
+                   	'sendRequestLogs' integer DEFAULT false NOT NULL,
+                   	'sendActionLogs' integer DEFAULT false NOT NULL,
+                   	'sendAccessLogs' integer DEFAULT false NOT NULL,
+                   	'type' text NOT NULL,
+                   	'config' text NOT NULL,
+                   	'enabled' integer DEFAULT true NOT NULL,
+                   	'createdAt' integer NOT NULL,
+                   	'updatedAt' integer NOT NULL,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
             db.prepare(
                 `INSERT INTO '__new_userInvites'("inviteId", "orgId", "email", "expiresAt", "token") SELECT "inviteId", "orgId", "email", "expiresAt", "token" FROM 'userInvites';`
             ).run();
@@ -191,8 +233,12 @@ export default async function migration() {
                 `ALTER TABLE 'user' ADD 'marketingEmailConsent' integer DEFAULT false;`
             ).run();
             db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
-            db.prepare(`ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`).run();
-            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text DEFAULT 'approved';`).run();
+            db.prepare(
+                `ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`
+            ).run();
+            db.prepare(
+                `ALTER TABLE 'sites' ADD COLUMN 'status' text DEFAULT 'approved';`
+            ).run();
         })();
 
         db.pragma("foreign_keys = ON");